FLRTVC - Fix Level Recommendation Tool Vulnerability Checker

FLRTVC Script and Documentation

The Fix Level Recommendation Tool Vulnerability Checker Script (FLRTVC) provides security and HIPER (High Impact PERvasive) reports based on the inventory of your system. FLRTVC Script is a ksh script which uses FLRT security and HIPER data (CSV file) to compare the installed filesets and interim fixes against known vulnerabilities and HIPER issues.

FLRTVC also exists as an online reporting tool which may be accessed from our FLRT website at FLRTVC Online. FLRTVC Online uses data from FLRT (aparCSV) to compare against the installed filesets (lslpp -Lcq) and interim fixes (emgr -lv3) to report your risks.

This webpage was developed based on feedback received from customers at Edge2015. We welcome your feedback on this tool and ways to improve it! Please use the Feedback button on the FLRT page or visit the FLRT IBM developerWorks Community.

Also, please follow us on Twitter - @IBM_FLRT

Download

To download, click the download link below and save to a folder. It is packaged as a ZIP file with the FLRTVC.ksh script and LICENSE.txt file.

Download: FLRTVC (v0.7)

Note:The script requires ksh93 to use. If you are receiving errors when running the script, you may execute the script using "ksh93 flrtvc.ksh". As of v0.7, only non-fixed vulnerabilities will be showed by default. Use -a to show all.

Changelog

Please read the latest changelog to see important changes to FLRTVC.

License

The FLRTVC script is licensed under IBM Public License Version 1.0.
You may read the license here: http://opensource.org/licenses/IPL-1.0

Documentation

The FLRTVC script works by downloading an "apar.csv" file from the FLRT website using CURL or WGET, whichever your machine has installed. Then, it uses the commands "emgr -lv3" for interim fixes and "lslpp -Lcq" for installed filesets, and compares to the vulnerabilities reported in the apar.csv file. FLRTVC will report any findings using one of two formats: Compact and Full (verbose). Compact is preferable for scripting purposes, and full reporting is for a more human-readable format that may be piped to an e-mail address.

Please see below for the flags and different usages:

Flags

-d = Change delimiter for compact reporting
-f = File selection for *.csv file
-q = Quiet mode, hide compact reporting header
-s = Skip download, use default apar.csv file
-v = Verbose, full report (for piping to email)
-g = Grep for filesets with phrase, useful for verbose mode
-t = Type of APAR [hiper | sec]
-l = Enter a custom LSLPP output file, must match lslpp -Lqc
-e = Enter a custom EMGR output file, must match emgr -lv3
-x = Skip EFix processing
-a = Show all fixed and non-fixed HIPER/Security vulnerabilities

Examples

Compact Formatting
# /flrtvc.ksh -c

Verbose Formatting
# ./flrtvc.ksh -v

Set a custom CSV file
# ./flrtvc.ksh -f myfile.csv

Report on a specific fileset in verbose mode
# ./flrtvc.ksh -vg printers

Show only hiper results
# ./flrtvc.ksh -t hiper

Custom lslpp and emgr outputs, for reporting on other systems
# ./flrtvc.ksh -l lslpp.txt -e emgr.txt

Grouping flags together
# ./flrtvc.ksh -vf myfile.csv -g printers
# ./flrtvc.ksh -vsg printers